Identity management, provided by products such as Novell eDirectory and Microsoft ActiveDirectory can be conceptualized as a database of individual users and one or more credentials that correspond to the users, such as a password. Rudimentary access controls may be enforced by the identity management products, such as by defining that a specific user may read the files in one directory, while another user may not. Similarly, a group of specified users (e.g., Alice, Bob, and Charlie) may be granted permission to modify a particular file, while other users may be granted no access to the file at all. In each case, considerable manual effort is required on the part of an administrator to configure to which resources a user is entitled access, and to what extent access should be granted. One effect is that the resulting access controls may be arbitrarily applied—two users having the same job, requiring the same access to the same files may wind up with different access, depending on which administrator configured their respective accounts.
Additionally, to the extent that access controls are provided by identity management products, they are enforced at the application layer. Thus, it is possible for an attacker to circumvent the access controls imposed by typical identity management tools.
Therefore, it would be desirable to have a better way to secure a computer system.